
Thank you so much for coming to BSides Las Vegas. This talk, Turla on the Side, is being given by Danny Adamitis. I have a few announcements to make before we begin. We'd like to thank our sponsors, especially diamond sponsors Adobe and Aikido and our gold sponsors Formal and Dropzone AI. It's their support, along with our other sponsors, donors and volunteers, that makes this event possible. These talks are being streamed live, and as a courtesy to our speakers and audience, we ask that you check to make sure your cell phones are set to silent. If you have a question, please use the audience microphone, which is over there, so YouTube can hear you.

And as a reminder, the BSides Las Vegas photo policy prohibits taking pictures without the explicit permission of everyone in the frame. These talks are all being recorded and will be available on YouTube in the future. Thank you so much. And with that...

>> Thank you.
>> Of course. [applause]
>> Good morning, everyone. Can everyone hear me? Good in the back? Awesome. Awesome. No? Kind of better. Do you want me to just yell? I can yell for the next hour. Bueller. Bueller. Okay, there we go. Now we're good. All right. Thank you guys for all coming today. You could be literally anywhere in the world, but we have all chosen to be here at Vegas
to talk about one of my favorite threat actors in the entire world, a group called Turla. This is a group who's known for backdooring the backdoor. So, fun little fact about me. My name is Danny Adamitis. I am a distinguished engineer at Lumen Technologies. It's a great company that pays me every two weeks. Why, I still don't know. I've been in the CTI space for about 10 years. I was part of two-thirds descriptions. I drink way too much coffee, so I'm going to be speaking very, very quickly for the next 45 minutes. But on the bright side, I do have one redeeming quality: I have this wonderful dog named Cookie. She unfortunately couldn't be here, but she's going to be with us throughout this entire presentation, because sometimes you just need a little bit of levity to cut the undertones of how horrible the internet is. Moving on.

So, we're going to talk about how we first discovered a group called SideCopy, how we then started moving into the Secret Blizzard or Turla space, and we're going to talk about the larger context, some questions, and what this all means to us.

So, first section: discovering a group called SideCopy, or as I like to put it, the part of the internet that isn't PRC operations, ransomware, or artificial intelligence. It does exist, people; it's just very, very small. All right, SideCopy, for those of you who are unaware of them: this is a Middle Eastern, Pakistani-based group. They've been active since about 2019 based off some public reporting, and their TTPs are just a little bit different than Transparent Tribe, if you're familiar with that group. They're known for predominantly using things like phishing and a combination of open-source and custom frameworks. We're going to get into this one a little bit more. They're just trying to evade EDR. They're not really going to be the most advanced, sophisticated group we've ever talked about before in the world, because they are more of a regional actor. They have a regional focus on Southeast Asian organizations. So again, think of places like India. There's a little bit of Nepal, Jordan, Iran, kind of that area of the world. They are known for targeting things like government entities, law enforcement, critical infrastructure, military entities. And thus far we've seen a lot of focus on offensive operations for the purposes of espionage. But there were a couple of things in there that just made me pause for a little bit that we'll get into in a minute.

So, one of my favorite questions: whenever I start talking about these wonderful campaigns or one of these actors, I always inevitably get a question from someone afterwards that goes, "Hey, how did this all start? What just tipped you off at first?" So, I figured, let's just start incorporating that into the slides. Way back in December of, I believe it was 2021, I was just searching through VirusTotal, as all good people do at 10:00 at night when you can't sleep, working on my YARA rules. What else would you do at night? And we came across a wonderful LNK file that had the words "Microsoft 10 ery" in it, spelled with an "i". That's their misspelling, not mine. I know that. That's why I have to call it out. I got yelled at for that one. We started to then analyze this wonderful LNK file and we discovered this malware family that we're later calling ReverseRAT. The really interesting thing about this that piqued my interest is they had a capability that was specifically targeting removable media and things like USB drives. They were trying to copy all the contents of anything that was on a USB drive and then trying to propagate to it. This was kind of interesting. If anyone here has a background in critical infrastructure, a lot of those networks tend to have an air gap. Oh yeah, but we still need to transfer files from one system to the other. So how do we do that? Propagate over to a USB drive. Yeah, there we go. So once we started to extract that, we were able to get some command and control IP addresses. And
that's kind of where this all started. Now, the slightly more in-depth version of how that all worked looked a lot more like this. Since we do have a full 45 minutes, we'll go over all this. They were sending these zip files as a phishing lure. Once you unpack that zip file, you would get this Microsoft shortcut file, or LNK file. This would deploy some sort of decoy PDF document that would be about some UN sanctions, the state of the military, the latest news, just something that we think would pique the interest and make people not realize that there were 14 other things happening in the background. We were then seeing them actually use things like compromised domains, which was interesting because again they were living off of a domain that we think people would actually legitimately visit, and it would lower that risk score. From there they would then use a whole bunch of executable HTML code which all resides in memory, because again, writing to disk is very, very bad. If you are a red teamer and a new person, do not write to disk. They would then start running multiple modules. The first one would check for things like EDR. They would then have another in-memory loader, and for some strange reason they then deployed two agents on every single device, because, you know, redundancy is important. Don't do that either, but it's what actually happened.

So, some of the more common malware frameworks that we have observed from this group: we saw one called Night Fury. This was back in 2022. This was interesting because it was a new capability that they were developing. So at the time when we did this, it was all written in C++ and they actually had 20 native functions in 20 different spots that they were going to use. However, about 11 of them were just to go into a big loop. So they're doing it, guys. They're trying. All right, we're just pushing to prod and they're just like us. Just like us. Prior to that, they were using another tool called AllaKore. This was a Delphi-based tool. Again, this is on GitHub. It's been around forever. I think it was just way too noisy. Everything was transmitted in the clear. It's just really bad OPSEC. No one likes stealthy. It's a pain. So, they started developing this wonderful Night Fury tool. The second one, and their main flagship module at the time, was a tool called ReverseRAT. ReverseRAT was a custom tool written in .NET. It had all of the fun, wonderful features we all know and love. You can upload files. You can download files. You can copy the clipboard. You can do things like play with removable media. You can write to the registry. You can delete the registry key because you realize that's actually the local one and not the HKLM one. It's great. So, that was their main tool. We saw this one. This is where I spent a lot of the time, just because it had some of those really unique capabilities that, in my mind, prefaced that there was this interest in doing more and going after some of these other targets. And then, of course, we found their tool called Ares. For those of you who know, this is a publicly open-source project. It's on GitHub. It's a Python-based tool. But the fun
thing about this one is it runs on Linux, because apparently you can also hack Linux devices. No one ever checks those. [laughter] And again, once we started doing this, we started to write pictures. I work with Ryan. Ryan loves pictures. So therefore, he asked me to always write pictures. And this is what we get now. So I have to explain to him how this all sort of works. We were able to find some of these C2s and then we were able to start enriching this with our NetFlow. For those of you who don't know, I work for a wonderful company called Lumen. Lumen used to own Level 3. Once you own Level 3, you get to see NetFlow and things that traverse through the Level 3 network. You get fun insights into the entire world. This is the result of that. So we were able to start identifying some of those lovely C2s that you'll see right there in the center. Once we identified those C2s, we could start to see who was connecting to those C2s over the known C2 ports. This allowed us to identify some things like the Afghan government, a couple of telcos in Afghanistan. We also saw a couple of other connections from things like the Indian government. We saw, I want to say, I believe it was two different Indian power companies. One of them was power generation, one was power distribution, and things like the Jordanian government. So if you had a strong interest in the Middle East, seems like a pretty good one-stop shop, right? It's awesome. The other fun thing we were able to do with some of our lovely NetFlow is not only could we identify who the victims were, we started to do what I call working upstream. So we could see who was trying to remotely administer all of these known C2s that we were able to find in things like VirusTotal from those lovely YARA rules we talked about before, that I wrote at 11:30 at night, that still somehow kind of work. Not great, but kind of. So once we were able to look at all of that stuff, we could see them RDPing into this, and that allowed us to find that second or bottom set of C2s. We were then able to do this and start to build out that more holistic picture. And once we started to do this, we started to see where else they were coming from in Pakistan, if there were any other connections or if, I don't know, there were any other C2s that were talking to them. That would be so weird. Anyway, let's talk about Hak5 for a minute. There's no reason at all we're bringing this up. For those of you who don't know, Hak5
is a commercially available tool. They usually actually have a table out here somewhere. I don't know if they're here or not this year, but the unique thing about them is they provide hardware-based pen testing tools. So, when I say hardware-based, I mean a physical device that you're going to plug into a USB drive, or their very common one, if you guys have been around, has been the WiFi Pineapple, where you can use that to break into somebody's Wi-Fi. You have the, what's it, LAN Turtle, Packet Squirrel, all of their lovely things. But the really interesting thing that I was trying to emphasize is the fact that you actually have to be close enough to a network that you can touch a piece of equipment, which is weird, because usually we talk about things like remote operations. The fun thing about this is, again, shout out to our Hak5 guys, they have this lovely banner that they display on port, you know, 8080, where it says, "I'm a Hak5 C2." It makes identification of malicious activity just oh so much fun and easy. And again, once we were able to start searching for that banner, we could start to get a couple of IP addresses. We're calling those our lovely command and control servers. Once we have those lovely command and control servers, do you remember that NetFlow we talked about on the previous slide? We're just going to throw all those IP addresses in and see who's talking to these things, and maybe that can give us some fun insight. And sure enough, once we started doing this, we found that there was one particular server that was getting a whole bunch of connections from things like Indian national government organizations, and a whole bunch of connections from other Indian government organizations that weren't located inside of the area of India, probably their Ministry of Foreign Affairs, I don't know. [snorts] So this was the actual IP address itself, it was the 185.217, and the fun thing about this is we saw remote administration from these other two IP addresses. For those of you who love reading CTI reports and just love to memorize IP addresses like myself, one of those was actually reported on by Team Cymru, shout out to Team Cymru if you're here, as being a known SideCopy C2. So, we then have a known confirmed C2, with the confirmed malware sample, being used to administer a known Hak5 server, and then that Hak5 server going after basically the exact same governments. But the fun thing is, with this particular bottom row, it was a hardware-based solution. How do you get a hardware-based solution into a government network?

>> Would you like to chime in, sir?
>> Somebody has to sneak in and put it there.
>> I mean, I don't know. That's just speculation. I'm not here to speculate. I'm just here to report facts. All right. Thank you. We'll get you cran later for lunch. All right. [snorts]

So, this is really interesting to me, because I feel like we always talk about proximity-based attacks in the abstract, as something that doesn't really occur. And in my mind, this is probably only the third documented instance of this occurring. The first and foremost one that everyone usually thinks about was that lovely attack that happened with the GRU in the Netherlands, where they were able to see someone using a Hak5 or a Pineapple to try to break into someone's Wi-Fi because they just wanted to do it that way. There was a second report that came out from Volexity in which there was another Russian GRU group that was basically hacking into the Wi-Fi right next to their target and using that to bridge over the gap. So again, these things do happen, but reporting and documentation of them is incredibly rare. So this is just my other call: just start looking for this stuff, because it's probably out there and it's probably happening a lot more than any one of us is actually noticing or talking about. So let's be the change we wish to see in this world.
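The NetFlow pivoting the speaker walks through above, as an added Python example that is not from the talk or from Lumen: starting from known C2 addresses and ports, it lists the hosts beaconing to them (victims), the hosts opening RDP to them (operators, the "working upstream" step), and any operator address whose RDP session into one C2 overlaps in time with its traffic to a second actor's C2, the first-seen/last-seen correlation the talk uses later. The flow records, addresses, ports and timestamps are all constructed.

```python
"""NetFlow pivoting around known C2 servers.

Added example (not from the talk or Lumen). The flow records below are
constructed, using RFC 5737 documentation addresses, and stand in for the
first-seen/last-seen flow summaries an analyst would pull from telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

RDP_PORT = 3389  # remote administration of a C2 by its operator


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    first_seen: datetime
    last_seen: datetime


def parse_flows(text):
    """Parse 'src,dst,dport,first_seen,last_seen' lines (ISO 8601 timestamps)."""
    flows = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()  # allow trailing comments
        if not line:
            continue
        src, dst, dport, first, last = (f.strip() for f in line.split(","))
        flows.append(Flow(src, dst, int(dport),
                          datetime.fromisoformat(first),
                          datetime.fromisoformat(last)))
    return flows


def find_victims(flows, c2s):
    """Hosts connecting to a known C2 on one of its known C2 ports.

    c2s maps C2 IP -> set of C2 ports. Returns C2 IP -> set of source IPs."""
    victims = defaultdict(set)
    for f in flows:
        if f.dst in c2s and f.dport in c2s[f.dst]:
            victims[f.dst].add(f.src)
    return dict(victims)


def find_operators(flows, c2s):
    """'Working upstream': hosts opening RDP to a known C2 are candidate operators."""
    operators = defaultdict(set)
    for f in flows:
        if f.dst in c2s and f.dport == RDP_PORT:
            operators[f.dst].add(f.src)
    return dict(operators)


def overlaps(a, b):
    """True when the two flows' first-seen/last-seen windows intersect."""
    return a.first_seen <= b.last_seen and b.first_seen <= a.last_seen


def cross_c2_overlaps(flows, c2s, other_c2s):
    """Operators of a c2s member whose RDP session overlaps in time with traffic
    from the same source to an other_c2s member (any port).

    Returns (source, administered C2, other C2, port on other C2) tuples."""
    admin = [f for f in flows if f.dst in c2s and f.dport == RDP_PORT]
    other = [f for f in flows if f.dst in other_c2s]
    return [(a.src, a.dst, o.dst, o.dport)
            for a in admin for o in other
            if a.src == o.src and overlaps(a, o)]


# Constructed flow summaries. 198.51.100.5 plays a SideCopy-style C2 with a
# known C2 port of 8080; 198.51.100.9 plays a second actor's C2 on 9443.
SAMPLE_FLOWS = """
192.0.2.10,198.51.100.5,8080,2023-05-01T10:00:00,2023-05-01T10:05:00   # beacon to C2 port
192.0.2.11,198.51.100.5,8080,2023-05-01T11:00:00,2023-05-01T11:02:00   # beacon to C2 port
192.0.2.12,198.51.100.5,443,2023-05-01T12:00:00,2023-05-01T12:01:00    # not a known C2 port
203.0.113.7,198.51.100.5,3389,2023-05-02T09:00:00,2023-05-02T09:40:00  # RDP into the C2
203.0.113.7,198.51.100.9,9443,2023-05-02T09:00:00,2023-05-02T09:40:00  # same source, same window, other C2
203.0.113.7,198.51.100.5,3389,2023-05-03T08:00:00,2023-05-03T08:30:00  # later RDP session
203.0.113.7,198.51.100.9,9443,2023-05-04T12:00:00,2023-05-04T12:10:00  # other C2, no overlap
203.0.113.8,198.51.100.9,9443,2023-05-02T09:10:00,2023-05-02T09:20:00  # different source
"""

SIDECOPY_C2S = {"198.51.100.5": {8080}}
OTHER_C2S = {"198.51.100.9": {9443}}
FLOWS = parse_flows(SAMPLE_FLOWS)

if __name__ == "__main__":
    print("victims:", find_victims(FLOWS, SIDECOPY_C2S))
    print("operators:", find_operators(FLOWS, SIDECOPY_C2S))
    for src, c2, other, port in cross_c2_overlaps(FLOWS, SIDECOPY_C2S, OTHER_C2S):
        print(f"{src} administered {c2} while talking to {other}:{port}")
```

The overlap check is deliberately weak evidence on its own, as the speaker concedes for dynamic addresses; it is a pivot to go confirm, not an attribution.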
So after we started doing this, we started looking for other C2s, thinking, hey, if they made that mistake once, bet you a dollar they're going to make it again. Maybe we can find some other really interesting command and control nodes that were actually talking to them. And that's when we found this first node. This one did not have any banners at all. In fact, there was no IP history about it at all. There were no domains. There were no scan entries. There was no Censys. There was pretty much nothing in any of the open source, which made me go, who are you and why are you here? Enter phase two. Let's go hunting for bears. [snorts] So, as we mentioned, the lovely dog. This is Cookie. I'm not fair. All right, moving on.

Secret Blizzard, aka Turla. So, this is the main premise for the talk: this wonderful group called the FSB Center 16. They have a global agreement and they are, I would argue, one of the most sophisticated and most advanced threat actors in the world, bar none. Yes, I'm talking to you. I'm even including China in that talk. They are really cool because they like to do things like this adversary-in-the-middle framework where they will actually hijack connections for legitimate things. There was a great report put out by Microsoft, I think about a week or two ago. They also, and this is my favorite, started hacking other hackers. And again, who doesn't want to hear a talk about hackers hacking hackers in Vegas, right? They [snorts] also have that wonderful peer-to-peer framework that used to be what they were calling Snake. And they actually use things like satellite for command and control. And again, I feel like they take pride in their work. And every now and then, you've got to acknowledge the fact that, man, these guys are really prideful and they just try that much harder. Unlike, you know, the SideCopy guys, they don't really try. They just want to get their job done and, like school, I guess it works, but you know, it's not fun for us. We're here to have fun. They are predominantly interested in foreign government entities. So think of governments, think of Ministries of Foreign Affairs, critical infrastructure, and of course other hackers that could give them access to everything, because that just makes their life easier. And again, they're focused predominantly on long-term cyber espionage.

Now, this was, I want to say, in my mind, one of the watershed reports. This was done by our lovely counterparts at the UK NCSC. I believe this was about 2019 at this point, but this was the first documented instance of Turla actually hacking into an Iranian group. I believe it was called Hazel Sandstorm. And they were using that to deploy their own tools. And again, this was that weird moment where everyone always talks about, well, why don't we just hack the hackers and just use that to get all the exfil and do everything we want to do. This was the first time anyone actually documented this in a public space that we can all now talk to and reference. The way they do this is we've observed three predominant tool sets. And this is the part where I will say we did work with Microsoft. We love those guys. If you're watching, they're amazing. They have three predominant tool sets. The first one is called TwoDash. TwoDash was a super lightweight survey
tool. So it's basically saying: am I in a VM? Are you actually running? Is this a real system? Can I actually enumerate things like MAC addresses? And if it said, "Yep, this does look like a real system," we're going to use this to then download an additional module. We're going to decrypt that and we're going to run it all in memory, because memory is where you want to live. We then observed a second tool, and this is their big one. It's called TinyTurla. Not to be confused with Turla, who's the actual group. They also have their own little malware family called Tiny. They were basically used to, again, it persists as a service. So again, you do have your persistence. You've seen them use this for years and years on end. The ability to upload, download code, do remote execution and play with things like the registry. This one is a little bit more fun because the binary actually resides exclusively in the registry itself. And if you've ever tried to search the registry of an entire enterprise, it's a really, really long day for you. So it does work, and in there they also then actually have the IP addresses in a different registry key. So that way, even if you just recover the binary itself in something like memory, you would then need that second component to actually know where they're talking to. And the last module we saw was Statuezy. This was used to basically copy the contents of clipboards. And again, some people say, well, why would you want to copy the contents of a clipboard? And I look at someone like Wendy and go, "Hi Wendy, talk to me about 1Password and how everyone just uses a password manager every day and then how you just copy that over and paste it." So if you were to copy the clipboard, you basically just have everyone's usernames and passwords for pretty much everything.

So this is what we saw. This was the initial C2 we were talking about before, up there in the top right-hand corner, where we saw that starting to communicate with a couple of these known SideCopy C2s. So again, at this point we're still trying to enumerate out these SideCopy C2s through a combination of things like NetFlow, our lovely YARA rules. We were even doing some fun pivoting based off of things like RDP searches and usernames that were being used across multiple things. It's super fun. And we noticed that at a certain point, I think this was around May of 2023, we saw that there were actually beacons going to that Turla C2 from an Afghan government IP address. So this was a very unique and interesting thing, where, you know, before they were hacking the hackers, now they're hacking the hackers to use their C2 to deploy their own malware to a particular network. Why are they deploying their own? Maybe they just didn't like the way they were doing things. Maybe they had an interest in a different part of the network. Maybe they wanted different files than, you know, the Pakistanis were grabbing. There were a number of reasons. But again, we believe that the initial access vector was actually someone else's command and control. [snorts] We then actually saw them starting to poke at some of the other C2s, and we even saw them starting to poke at the Pakistani ISI operators themselves. Now again, I know that there's probably
going to be one person here who's going to scream "pcap or it didn't happen." So this is my "pcap or it didn't happen" slide. [laughter] So this was the known SideCopy, or I want to say known SideCopy, IP address. This was actually based in Pakistan. It does resolve to a real IP address. And then we actually saw this being used to RDP into a known SideCopy C2. This was the 130.185. And the fun thing about this is you can actually see the first seen and last seen from our lovely telemetry at the exact same time. You'll notice the exact same IP address was also talking to a Turla C2 over its known 9443 port. And the fun thing is, if you look at the first seen and last seen times, it's the exact same time. So again, this is the part where I know someone's going to inevitably say, "But it's a dynamic IP address. There could be multiple things happening. How do you know it's really the operators who are RDPing while Turla is hacking into them at the exact same minute?" This is the part where I'm going to go, this is about as good as it's probably going to get for us. So yeah. Yeah, I feel pretty good about that assessment that they actually did manage to move from the command and control servers of the SideCopy actors back down to the actual operator's workstation. This was again a huge thing in my mind. We've never actually had a documented instance of a known nation-state threat actor compromising another known nation-state threat actor's operating workstation. So of course I then called my spirit animal Cookie and said, hey, what do you think of all this? And she said, what the duck. So this is what it looked like. Again, we were able to then see them continuously interacting with a whole bunch of these catabo IP addresses and nexiums. We were able to see them continuously interact with the Afghan government for months on end. I think we still saw stuff as recently as, you know, late 2024, early 2025. And then sporadically we would actually see some of these Pakistani IP addresses popping up in our telemetry, where they were actually interacting with the exact same Turla IP address that was being used to interact with all the other C2s. Yeah. Yeah, it's fun.

So, section three: the absence of data, or when not having any data becomes your main data point. So as we talked about before, we are talking about some of the main malware families that we were predominantly seeing from the SideCopy threat actors. So again, we have a Lumen report; you guys can read it. The main ones were: there was a tool
called weiss cotton. This was a Go-based tool. We think that they were using this predominantly to go after some of the more Linux/Unix-y systems, because you know you get that lovely portability that everyone loves. Action RAT, this was a variant of ReverseRAT. This was a little bit different, but again it's .NET, targeting things like Windows systems. We saw CrimsonRAT. So this was actually being used to target things like Android devices. Again, another super well-known, documented family. We observed things like AllaKore. Again, super well-known, documented family. It was written in Delphi. It's being used by everyone, and we actually saw the Turla actors interacting with almost all of them except for the Ares RAT, and [snorts] this was the part where I just couldn't quite put my finger on: why would you hack into seemingly everything? You were on the operator's workstation. Clearly you have the credentials at that point in time. Why are you not targeting this one particular group? So if anyone here was at PIVOTcon last year, we had our counterpart Seth give a wonderful presentation about Ares RAT and how he was tracking that. Shout out to Seth. And we were able to start going into this, and this is where I jumped down this rabbit hole of what is so different about this one particular malware family than all the other ones, and why are they not targeting that. So we started enumerating out all of their infrastructure. We did that same methodology we talked about in the earlier slides, where we were able to see where they were coming from in Pakistan. We were looking for remote connections. We were then able to actually start seeing some of these IP addresses, and we saw what looked like sustained connections to their admin page. Fun thing about their admin page: they decided to try to hide themselves as a pfSense firewall in a VPS, because that totally happens in the normal world all the time. And while that might help them evade scanners, if you have something like NetFlow, it just sticks out like a sore thumb that all of a sudden you're going to see 10,000 connections to some random ephemeral port on this one random thing. And then if you actually do something like urlscan and you see pfSense, it becomes pretty easy, and I just don't quite understand why they never targeted this. And then that led me to my next correlation. So we saw our wonderful Secret Blizzard actor, or Turla, in the top right-hand corner. We saw them hacking into all the C2s. We saw them actually deploying their stuff to places like the Afghan government. We actually saw them in the Pakistani network. But for some reason, we never actually saw them using that same C2 to deploy any of their malware into places like the Indian-based networks. And this was just a really, in my mind, interesting data point of why would they go through all this trouble, where clearly they had the capability, they have the access, they've done this before. What makes some of these other Indian government targets so different that they don't want to actually deploy any of their own malware? So, again, going over some of this. We saw them, in my mind, they
clearly had the capability. They had the capacity to do this stuff, but for some reason they didn't. So this is when I put on my lovely international relations hat and we started to look at this from a fun geopolitical lens, wondering about the IR and the connections of all of them. The only thing I could think of is there was a geopolitical preference to not be discovered in any of these networks. The fun, unfortunate thing about performing these kinds of operations is anyone who does them knows at some point in time you are going to get caught. It might not happen today. It might not happen tomorrow. It could be a decade from now. But every single person who has done any sort of hacking event at some point in time runs the risk of getting caught. And if you get caught, it's going to cause a bit of a stir. So there is a fun connection between the Indian government and the Russian government. As I think I mentioned before, Modi was recently reelected in 2024 and his first international visit was to Moscow. So again, that's usually where you signal who your strongest preference is or where you're trying to build relations. So again, I think that there is a whole budding relationship there. There are also some connections where the Russian government is selling a bunch of their oil over to the Indian government, and again, they need to continue to sell that oil to have funds to then prepare for the war that's still going on in Ukraine. There is also this fun thing where a whole bunch of Indians have been duped into being conscripted into the Russian army. So again, there might be something where they're clearly benefiting from this and they really like the status quo. They might still have what we call this information need, or this desire to learn about what's happening in India, because it is a large regional player, but they might not have the political will to actually get caught doing this. So what do you do when you need to have information about them, but you can't actually be in the network yourself? This is that fun little middle ground where you're like, "I'm not touching you. I'm not touching you. I'm not not touching you," but you're still basically doing exactly that. You're just poking the bear. You're collecting all of that wonderful information you need and you can use that to still answer all the questions that you need to. And again, this is not my opinion. This is the European Council on Foreign Relations and the BBC. So, yeah, good enough for me. [snorts]
Section four, conclusions. So, this was kind of my favorite topic was what happens when you start backdooring other people's back doors. Um, in my mind, there has been five documented cases of Tura doing this. And to my knowledge, I think they're probably one of the only group that's been publicly attributed to performing this actual trade craft. Um, this is kind of, you know, sometimes called a stunt hack or, you know, something where everyone talks about how great it would be if they could do this. Um, this is one of the few groups that's actually putting that into practice. Uh the first one was of course the NCSC thing. There was a second instincts um and this was
documented by Mandian and now Google where they purchased an expired domain and they use that to drop their own tools. Um we've also seen this from secure list where there was a CIS actor who was using Thomas and then they were then dropping their own tools. This is of course the fourth instincts and of course we saw the fifth one which was Amade. Um, if you guys are here and from the cyber crowd crew, you know that this is a well-known malware as a platform service. It's being used by cyber criminals. It's seemingly everywhere and they were using this to get more information about people particularly in Ukraine. So, and kind of the last couple things,
why should I care about any of this? Well, I feel like there have been, as we kind of talked about, a number of cases where we've seen what I call snapshots in time. No one has ever actually done a two-year comprehensive study of what exactly is happening and how they move from one C2 to another, back down to the workstation, using that to then deploy their own tools, choosing to go into some networks while not choosing to go into other networks. Um, I feel like this kind of really helps reveal a lot about how they think through these problems and how they work through them in a way that, you know, you're just never going to get if
you just did a lovely IR and you go, "Oh, cool. We found two malware families on the exact same system at the exact same time. That's so weird." It doesn't really talk about how they view these problems and how they start to think through them and where they decide to go. Um, the other fun thing, and this is one of my favorite data points: not only did we see them observe or hack one C2, we observed what looked like signs of compromise or beaconing from 33 different C2s over two years. Um, so again, everyone kind of goes, "Oh yeah, well, we think this happens and they probably have access to a bunch of things." This is one of the few examples
where we actually have what I call hard data points to point to and talk about how exactly this is occurring. And again, in my mind, the greatest thing is this is the first time we've actually seen a nation state move back down onto those operator workstations. And at least in my mind, if we know it's Turla, they had persistence, they had the ability to move laterally. If anyone here works on a red team, how many of you guys have EDR on your home workstation where you do all of your operations? And how many of you guys start checking that registry for weird keys? Yeah. Yeah. So, if you were hypothetically on that network, they
probably could have persisted there for a very long time and gotten just absolutely everything that they wanted. All right. Some of the fun unsolved questions, as any good person does, you always talk about the unknown unknowns, or the things that you weren't quite able to figure out, but maybe some of you guys do. So, if you do, come find me later. I'll buy you a beer. All right. So my first thing was how was SideCopy able to, you know, get some of this Hak5 equipment in. Um, this is the part where it would indicate that they either hacked some level of access to these facilities, they kind of did something where they were hacking from
the parking lot, or they had someone on the inside. But that's just kind of my big thing: I think it's not often we actually get to see these Hak5 devices being used in the wild for real-world attacks. And then the question always becomes how are they doing this, and do they have some sort of travel team very similar to what we saw from other operators like the GRU. As for the Turla questions, why did they choose SideCopy? There's, again, seemingly every nation in the world has their own hacking organization. There's how many private-sector offensive actors? There's how many cyber criminal groups? There's how many botnets? They could literally target anything. These guys
are actually really, really good at what they do. But what was it about this one particular group that made them stop and go, "Yes, that's exactly who I want to start targeting, and that's why"? Um, the other big question that I don't think we're ever really going to get an answer to was why were they so comfortable doing things like deploying their own malware families and their own toolsets in places like the Afghanistan government, but they seemingly chose not to do that for places like India or Jordan or Iran or some of these other networks where we actually know that the SideCopy actor had access, but we didn't see anything from the actual
Turla side of things. Um, and again, this was the other fun thing: if we're going full circle back to the very beginning, and the reason this first caught my attention, there was this weird angle where we saw them targeting what looked like power generation and power distribution companies. We know that they had things like USB modules. We know that they had the ability to do things like copy clipboards. We know that they were trying to propagate, and we believe that the Pakistanis were just doing that for their own purpose. Um, Secret Blizzard also has their own capabilities to go after some of these critical infrastructures. What happens if you're trying to then do an IR where
you see Turla walking in with stolen credentials being used by a different actor into that network? This is kind of this fun thing where I know this is where everyone always says and clamors that they want immediate attribution from doing some of these incident responses, and they want to know exactly how this happened and what happened. This was something that took me over two years to piece apart. So again, if you are one of those directors who's demanding for things, just give your people a little bit more grace and mercy. Sometimes it takes more than five minutes to kind of put all this together. Okay. And at the end, um, this was actually a joint endeavor, as I mentioned
before, with our lovely counterparts at Microsoft. There is a great group of guys out there who are focusing on the Russia group. Um, they also did their own blogs. They kind of focused a little bit more on the malware. Um, that was called Operation Freeloader, and then they did the second one on Amadey. Um, we at Lumen kind of focus a lot more on network telemetry because that's kind of our special sauce. Obviously, they're very good at this. And again, better together. Everyone wins except for the Russians, but we don't care about them. Okay. And questions. Sorry, I'm a little early. [applause]
You got me in.
>> I think it was short by a couple minutes. >> Yeah. >> Thank you. >> Thank you for the great talk. I really enjoyed it. Uh, I had a question. You mentioned you saw some evidence of this kind of activity by Turla into possibly 33 different C2s of different malware families. So maybe I missed this, but some of these were the ones used by the, uh, Pakistani ISI, some of these were maybe the cyber criminal botnets, etc. >> So it was 33 of the Pakistani ISI, and then there was also cyber criminals over here too, but I had to kind of time scope it a little bit, otherwise I would just keep doing this forever.
>> So within the 33 that you mentioned, all of those were, uh, Pakistani, um, SideCopy's infrastructure? >> We assessed that all of them were associated with either SideCopy and/or Transparent Tribe. Uh, so it's two different Pakistani-based groups. >> Okay. Uh, thank you, and a follow-up question. I didn't really totally understand your last comment about why would the ISI get into power generation, power distribution in India? It seems kind of obvious to me. So what are you saying, is why is Turla getting into there as well? I didn't quite understand that. Thank you. >> Yep. So, it does make sense that, you know, Pakistanis are very interested in India. There's been a bit of a warm,
hot, cold conflict there in the Kashmir region forever. I'm sure you guys are familiar with this one. Um, I think it was more of the point I was trying to emphasize was that while the Pakistanis appear to be kind of prepositioning themselves, the way you do that is obviously gaining some software access, getting things like admin credentials, getting things like network maps, that's exactly everything that Turla would need if they wanted to try to then move into that same network. So again, it's one of those things where what happens when you have, I want to say, SideCopy performing all of your kind of initial reconnaissance, and you're laying out the land, and then you have someone like
Turla coming in on top of that to actually then start hacking that. And if you're someone who, you know, works for an incident response firm and you're trying to piece all that together, it's going to look very weird and very awkward for you. So again, it's just kind of, in my mind, trying to bring up the concept that if you see signs of compromise, that means that there could actually be two or three other actors who are also residing in that same network who have used the same tradecraft. I hope that makes more sense. If not, I'll find you afterwards. >> Excellent. No, great talk. I'm curious, uh, is there any way you're going through
differentiating between Turla purchasing access versus Turla compromising, uh, groups like SideCopy, and, uh, even more broadly across the community? I mean, what are some of the indicators around your analysis of how you differentiate between those two? Thank you. >> Yep. So for things like this one, um, in my mind it's a little bit easier. There's been no evidence or documentation that people like SideCopy have ever sold access to anyone. They appear to only be hacking for the purposes of their own geopolitical interest. Um, we've also kind of seen things before with, I think, some of the Amadey cases where typically if you purchase access you'll only get access to, like, a shell, or you might get
some information. Um, I think we just saw what looked like just a large amount of data exfil from some of the backends that, again, we only ever see the actual cyber criminals coming in from. So the fact that they're kind of using that same door, in my mind, indicates that they didn't actually just purchase something. They probably, you know, gained some sort of access. And again, as I mentioned before, these guys are really savvy. They're good at JavaScript. They're good at all this. They probably found some sort of weird, you know, auth bypass. Again, I'm sure you're going to hear all about auth bypasses, but things like Cobalt Strike and stuff like that, they probably have someone
doing something similar. But great question. Anyone else? I'll also be around for, you know, parts of the day, too. So, if you guys have something that you don't want to put on camera, I'm around. Cool. Awesome. Thank you, guys. [applause]